[SLE Team] [CWG-Stewardship] SLE update - ICANN seeks to delay SLE Accountability reporting......

David Conrad david.conrad at icann.org
Wed Oct 14 01:39:37 UTC 2015


On 10/13/15, 11:41 AM, "James Gannon" <james at cyberinvasion.net> wrote:
>As a security guy in my day job I share your concern about the
>apparent/potential lack of an audit trail and transaction log for this
>system, I cannot see this being the case in reality given ICANNs recent
>security issues I would think that systems closest to the root would be
>heavily logged and tracked.

While I make no claim to being "a security guy" (I have a number of actual
"security guys" reporting to me and I know what I don't know), I do have a
bit of background in software engineering and software development
management.  I believe it would be a mistake to make assumptions about
code based on nearly decade old third-hand hearsay about how that code has
been implemented.

The point here is not about having an audit trail and transaction logging,
both of which the existing Root Zone Management System has. The point is
that the SLE Working Group has demanded metrics on actions that, in some
cases, are not logged simply because we didn't see the need.  For example,
despite numerous arguments against it, the SLE Working Group has demanded
we measure "The time the automation system takes from when the last
required confirmation is received, until the business process logic
progresses the request to the next logic state."  From a conceptual point
of view, currently in the RZMS code base when the last confirmation is
received, a while loop conditional fails (that is, "do we have to wait
more?") and the next logic state is entered.  To implement this metric we
will have to insert code immediately after the termination of the while
loop and before the _immediate next executable statement_ which is the
update of the logic state.  I remain a bit mystified as to what this is
supposed to measure, but at this point my job is to see that it is
implemented in a way that doesn't impact the security and stability of
ICANN's Root Zone Management System (not too hard in that particular

>This is a troubling point and one that should be taken up by senior ICANN
>staff/board members if necessary and our co-chairs at the earliest
>possible juncture.

Feel free.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4673 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/dt1/attachments/20151014/22ec7aa9/smime-0001.p7s>

More information about the dt1 mailing list